Data processing method, related device and storage medium
By combining local and cloud-based methods to identify and process attack signatures in LoRaWAN networks, this technology addresses the security deficiencies in existing technologies, automates attack behavior processing, and improves the security of LoRaWAN networks.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: TENCENT TECHNOLOGY (SHENZHEN) CO LTD
- Filing Date: 2021-01-25
- Publication Date: 2026-06-19
AI Technical Summary
The security of existing LoRaWAN networks mainly relies on the security awareness of project deployment personnel, lacking an effective automated attack handling mechanism, resulting in insufficient security for long-distance wireless communication networks.
The system employs a combined local and cloud approach to identify attack behaviors. It automatically detects attack characteristics in network data through data processing devices. If the data exhibits the first type of attack characteristics, it is transmitted to the cloud for processing. If the data exhibits the second type of attack characteristics, access is blocked locally. Specifically, this includes suspicious attack characteristics, malicious attack characteristics that require remote processing, and malicious attack characteristics that require local processing.
It improves the security of LoRaWAN networks, automates the identification and handling of attacks, reduces reliance on human intervention, and enhances the network's protection capabilities.
Figure CN114793336B_ABST
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to a data processing method, related equipment and storage medium.
Background Technology
[0002] With the gradual development of new digital infrastructure, smart cities, smart industries, and smart agriculture will become increasingly prevalent. The development of these smart scenarios relies heavily on long-distance communication networks, such as Low-Power Wide-Area Networks (LPWAN) or Low-Power Networks (LPN). Among LPWAN technologies, LoRa has become a mainstream technology due to its low power consumption and long communication range. LoRaWAN is a protocol and system architecture designed for long-distance wireless communication networks based on LoRa. Many smart projects have adopted LoRaWAN, such as smart water and electricity meters and smart parking sensors. With the increasing popularity of LoRaWAN, security risks are becoming a growing concern for smart scenarios.
[0003] Current security research on LoRaWAN primarily focuses on the attacker's perspective, providing attack strategies for LoRaWAN networks and offering deployment personnel potential attack methods to improve their security awareness and capabilities. However, such methods or solutions rely heavily on the security awareness of deployment personnel and offer limited protection for long-distance wireless communication networks. Therefore, how to handle attacks in long-distance wireless communication networks has become a hot research topic.
Summary of the Invention
[0004] This invention provides a data processing method, related equipment, and storage medium that can automatically identify attack behaviors in long-distance wireless communication networks and block attacks on long-distance wireless communication networks using a combination of local and cloud methods, thereby improving the security of long-distance wireless communication networks.
[0005] In one aspect, embodiments of the present invention provide a data processing method, characterized in that it includes:
[0006] Acquire network data in long-distance wireless communication networks and perform attack signature detection on the network data;
[0007] If the network data exhibits the first type of attack characteristics, the network data is transmitted to a cloud device so that the cloud device can perform abnormal data processing on the network data. The first type of attack characteristics refers to suspicious attack characteristics or malicious attack characteristics that require remote processing.
[0008] If network data exhibits characteristics of a second type of attack, then the network data's access to the long-distance wireless communication network will be blocked; the second type of attack characteristics refer to malicious attack characteristics that require local processing.
[0009] In one aspect, embodiments of the present invention provide a data processing method, characterized in that it includes:
[0010] Receive network data of a long-distance wireless communication network sent by the data processing device. The network data has the characteristics of a first type of attack. The first type of attack characteristics include suspicious attack characteristics or malicious attack characteristics that require remote processing. The first type of attack characteristics are determined by the data processing device when it performs attack characteristic detection on the network data.
[0011] Based on the type of attack characteristics of the first category, abnormal data processing is performed on the network data.
[0012] In one aspect, embodiments of the present invention provide a data processing device, characterized in that it includes:
[0013] The data acquisition module is used to acquire network data in long-distance wireless communication networks;
[0014] The attack signature detection module is used to detect attack signatures in network data.
[0015] The attack signature detection module is also used to transmit network data to a cloud device if the network data has the characteristics of the first type of attack, so that the cloud device can perform abnormal data processing on the network data; the first type of attack signature refers to suspicious attack signatures or malicious attack signatures that need to be processed remotely.
[0016] The intrusion blocking module is used to block network data from accessing long-distance wireless communication networks if the network data has the characteristics of a second type of attack; the second type of attack characteristics refer to malicious attack characteristics that need to be processed locally.
[0017] In one embodiment, the long-range wireless communication network is a LoRaWAN network designed based on the long-range radio technology LoRa. The long-range wireless communication network includes LoRaWAN node devices, core network servers, and gateway devices. The network environment of the long-range wireless communication network includes wireless sensor networks or Ethernet networks.
[0018] If the network environment of the long-distance wireless communication network is an Ethernet network, then the network data refers to the Ethernet data sent to the target port of the gateway device and the core network server; if the network environment of the long-distance wireless communication network is a wireless sensor network, then the network data refers to the radio data related to long-distance radio technology in the long-distance wireless communication network.
[0019] In one embodiment, if the network environment of the long-distance wireless communication network is an Ethernet network, the malicious attack characteristics that need to be processed locally include any one or more of the following: unauthorized malicious access based on known communication protocols, malicious login to core network servers or gateway devices, malicious database access, and preset-type access to the target ports of gateway devices and core network servers.
[0020] If the network environment of the long-distance wireless communication network is an Ethernet network, the malicious attack characteristics that need to be handled remotely include any one or more of the following: malicious network access of LoRaWAN node devices in the long-distance wireless communication network, malicious attacks on LoRaWAN node devices using target vulnerabilities, and counting sequence replay attacks in the long-distance wireless communication network.
[0021] In one embodiment, when the intrusion blocking module blocks network data from accessing a long-distance wireless communication network if the network data exhibits characteristics of a second type of attack, it performs the following steps:
[0022] If the network data exhibits characteristics of a second type of attack, the number of times the network data appears within a preset time period is determined; the network data is then blocked based on the number of times it appears.
[0023] In one embodiment, when the intrusion blocking module blocks network data based on the frequency of its occurrence, it performs the following steps:
[0024] If the number of times network data appears within a preset time period is less than or equal to the number of occurrences threshold, then network data access to the long-distance wireless communication network will be blocked.
[0025] If the number of times network data appears within a preset time period exceeds a threshold, and each occurrence of network data is generated by the target device, then the target device's access to the long-distance wireless communication network is blocked. If the number of times network data appears within a preset time period exceeds a threshold, and each occurrence of network data is generated by a different device, then the data protocol corresponding to the network data is determined, and the data protocol is repaired.
[0026] In one aspect, embodiments of the present invention provide a cloud device, characterized in that it includes:
[0027] The receiving module is used to receive network data from a long-distance wireless communication network sent by the data processing device. The network data has the characteristics of a first type of attack. The characteristics of a first type of attack include suspicious attack characteristics or malicious attack characteristics that require remote processing. The characteristics of a first type of attack are determined by the data processing device when it performs attack characteristic detection on the network data.
[0028] The processing module is used to perform abnormal data processing on network data based on the type of the first type of attack characteristics.
[0029] In one embodiment, the processing module includes a security response module and a data analysis module. When the processing module performs abnormal data processing on network data according to the type of the first type of attack characteristics:
[0030] The security response module is used to output an anomaly handling notification if the type of the first type of attack feature is a malicious attack feature that requires remote processing. The anomaly handling notification is used to instruct maintenance personnel to block network data access to the long-distance wireless communication network.
[0031] The data analysis module is used to store and analyze abnormal network data if the type of the first type of attack characteristics is a suspicious attack characteristic.
[0032] In one embodiment, when the security response module outputs an exception handling notification if the type of the first type of attack signature is a malicious attack signature requiring remote processing, it performs the following steps:
[0033] The processing priority of network data is determined based on the attack severity of the first type of attack characteristics on the long-distance wireless communication network; the notification method is determined based on the processing priority of network data; and anomaly handling notifications are output according to the notification method.
[0034] In one embodiment, the processing module is further configured to, if a new attack signature is detected, match the first type of attack signature with the new attack signature; if the first type of attack signature matches the new attack signature successfully, then use the attack blocking strategy corresponding to the new attack signature to block the network data.
[0035] In one embodiment, the processing module is further configured to call the attack behavior analysis model to analyze the network data to determine whether the first type of attack feature is a malicious attack feature that needs to be blocked; if the first type of attack feature is a malicious attack feature that needs to be blocked, then a mark to be blocked is added to the network data so that when the cloud device blocks the network data marked to be blocked, it blocks the network data from accessing the long-distance wireless communication network.
[0036] In one aspect, embodiments of the present invention provide a computer device, characterized in that it includes: a processor adapted to implement one or more first computer programs; and a computer storage medium storing one or more first computer programs, the one or more first computer programs being adapted to be loaded and executed by the processor.
[0037] The system acquires network data from a long-distance wireless communication network and performs attack signature detection on the network data. If the network data exhibits a first type of attack signature, the network data is transmitted to a cloud device for abnormal data processing. The first type of attack signature refers to suspicious attack signatures or malicious attack signatures requiring remote processing. If the network data exhibits a second type of attack signature, the system blocks the network data from accessing the long-distance wireless communication network. The second type of attack signature refers to malicious attack signatures requiring local processing.
[0038] Alternatively, the processor is adapted to implement one or more second computer programs, and one or more second computer programs are stored in a computer storage medium, the one or more computer programs being adapted to be loaded and executed by the processor:
[0039] The system receives network data from a long-distance wireless communication network sent by a data processing device. The network data possesses first-type attack characteristics, which include suspicious attack characteristics or malicious attack characteristics requiring remote processing. The first-type attack characteristics are determined by the data processing device when detecting attack characteristics in the network data. Based on the type of the first-type attack characteristics, the system performs abnormal data processing on the network data.
[0040] In one aspect, embodiments of the present invention provide a computer storage medium, characterized in that the computer storage medium stores a first computer program, which, when executed by a processor, performs the following steps:
[0041] The system acquires network data from a long-distance wireless communication network and performs attack signature detection on the network data. If the network data exhibits a first type of attack signature, the network data is transmitted to a cloud device for abnormal data processing. The first type of attack signature refers to suspicious attack signatures or malicious attack signatures requiring remote processing. If the network data exhibits a second type of attack signature, the system blocks the network data from accessing the long-distance wireless communication network. The second type of attack signature refers to malicious attack signatures requiring local processing.
[0042] Alternatively, the computer storage medium stores a second computer program that, when executed by the processor, performs the following steps:
[0043] The system receives network data from a long-distance wireless communication network sent by a data processing device. The network data possesses first-type attack characteristics, which include suspicious attack characteristics or malicious attack characteristics requiring remote processing. The first-type attack characteristics are determined by the data processing device when detecting attack characteristics in the network data. Based on the type of the first-type attack characteristics, the system performs abnormal data processing on the network data.
[0044] In one aspect, embodiments of the present invention provide a computer program product or a computer program, the computer program product including a first computer program stored in a computer-readable storage medium; a processor of a computer device reads the first computer program from the computer storage medium, and the processor executes the first computer program, causing the computer device to perform:
[0045] The system acquires network data from a long-distance wireless communication network and performs attack signature detection on the network data. If the network data exhibits a first type of attack signature, the network data is transmitted to a cloud device for abnormal data processing. The first type of attack signature refers to suspicious attack signatures or malicious attack signatures requiring remote processing. If the network data exhibits a second type of attack signature, the system blocks the network data from accessing the long-distance wireless communication network. The second type of attack signature refers to malicious attack signatures requiring local processing.
[0046] Alternatively, the computer product includes a second computer program stored in a computer-readable storage medium, the processor of the computer device reading the second computer program from the computer storage medium, causing the processor to execute the second computer program, and causing the computer device to perform:
[0047] The system receives network data from a long-distance wireless communication network sent by a data processing device. The network data possesses first-type attack characteristics, which include suspicious attack characteristics or malicious attack characteristics requiring remote processing. The first-type attack characteristics are determined by the data processing device when detecting attack characteristics in the network data. Based on the type of the first-type attack characteristics, the system performs abnormal data processing on the network data.
[0048] In this embodiment of the invention, the data processing device acquires network data from a long-distance wireless communication network and performs attack feature detection on the network data. If the network data is detected to possess a first type of attack feature, it is sent to a cloud device so that the cloud device can perform abnormal data processing on the network data. The first type of attack feature includes suspicious attack features or malicious attack features that require remote processing. If the network data is detected to possess a second type of attack feature, access to the long-distance wireless communication network by the network data is blocked. The second type of attack feature refers to malicious attack features that require local processing. As can be seen from the above network data processing process, in this embodiment of the invention, the data processing device and the cloud device jointly protect or block network data with attack features in a long-distance wireless communication network, preventing the network data with attack features from causing malicious impact on the long-distance wireless communication network, thereby improving the security of the long-distance wireless communication network.
Attached Figure Description
[0049] To more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the following description of the embodiments will be briefly introduced. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0050] Figure 1 is a schematic diagram of the structure of a network protection system provided in an embodiment of the present invention;
[0051] Figure 2 is a flowchart illustrating the data processing method provided in an embodiment of the present invention;
[0052] Figure 3 is a flowchart illustrating network protection using a data processing device according to an embodiment of the present invention;
[0053] Figure 4 is a schematic diagram of an attack feature detection method provided in an embodiment of the present invention;
[0054] Figure 5 is a flowchart illustrating another data processing method provided in an embodiment of the present invention;
[0055] Figure 6 is a flowchart illustrating network protection for a cloud device according to an embodiment of the present invention;
[0056] Figure 7 is a schematic diagram of a computer device provided in an embodiment of the present invention.
Detailed Implementation
[0057] The technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
[0058] This invention proposes a security protection scheme for long-distance wireless communication networks. In its specific implementation, a data processing device can collect network data from the long-distance wireless communication network and then perform attack feature detection on the network data. If the network data has suspicious attack features or malicious attack features that require remote processing, the network data is transmitted to the cloud so that the cloud can perform abnormal processing on the network data. If the network data has malicious attack features that require local processing, the data processing device directly blocks the network data from accessing the long-distance wireless communication network.
[0059] If the network data possesses suspicious attack characteristics or malicious attack characteristics requiring remote processing, the cloud device, upon receiving the network data, determines whether the data specifically exhibits suspicious attack characteristics or malicious attack characteristics requiring remote processing. If the network data possesses the first type of attack characteristic, which is a malicious attack characteristic requiring remote processing, the cloud device outputs an anomaly handling notification to the maintenance personnel of the long-distance wireless communication network, prompting them to block the network data's access to the long-distance wireless communication network. If the network data possesses the first type of attack characteristic, which is suspicious attack characteristics, the cloud device can temporarily store the network data. This data can be compared with new attack characteristics when they are subsequently released to determine whether the first type of attack characteristic data is one that needs to be blocked.
[0060] Based on the above solution, this embodiment of the invention provides a network protection system; see Figure 1, which is a schematic diagram of the structure of a network protection system provided in an embodiment of the present invention. The network protection system shown in Figure 1 may include a data acquisition module 101, an attack signature detection module 102, and an intrusion blocking module 103; wherein, the data acquisition module 101 is mainly used to collect network data in long-distance wireless communication networks.
[0061] In one embodiment, the long-range wireless communication network is a LoRaWAN network designed based on the long-range radio technology LoRa. The long-range wireless communication network includes LoRaWAN node devices, core network servers, and gateway devices. The network environment of the long-range wireless communication network includes wireless sensor networks or Ethernet networks.
[0062] Optionally, the network data collected by the data acquisition module 101 will differ depending on the network environment of the long-distance wireless communication network. Specifically, if the network environment of the long-distance wireless communication network is an Ethernet network, the network data refers to Ethernet data sent to the target ports of the gateway device and the core network server; if the network environment of the long-distance wireless communication network is a wireless sensor network, the network data refers to radio data related to long-distance radio technology in the long-distance wireless communication network.
[0063] In one embodiment, the attack signature detection module 102 can be connected to the data acquisition module 101. The attack signature detection module 102 is mainly used to detect attack signatures in the network data acquired by the data acquisition module 101. The attack signatures can be divided into three categories: malicious attack signatures that require remote processing, malicious attack signatures that require local processing, and suspicious attack signatures.
[0064] Optionally, the malicious attack characteristics requiring remote processing and those requiring local processing differ in different network environments. Specifically, if the network environment of the long-distance wireless communication network is an Ethernet network, the malicious attack characteristics requiring local processing include any one or more of the following: unauthorized malicious access based on known communication protocols, malicious login to the core network server or gateway device, malicious database access, and pre-defined type access to the target ports of the gateway and the core network server; if the network environment of the long-distance wireless communication network is an Ethernet network, the malicious attack characteristics requiring remote processing include any one or more of the following: malicious network access of the LoRaWAN node device in the long-distance wireless communication network, malicious attack on the LoRaWAN node device using a target vulnerability, and counting sequence replay attacks in the long-distance wireless communication network.
[0065] In one embodiment, the intrusion blocking module 103 can be connected to the attack signature detection module 102. The intrusion blocking module 103 is used to block network data from accessing the long-distance wireless communication network if the attack signature detection module 102 detects that the network data has a second type of attack signature. The second type of attack signature refers to malicious attack signatures that require local processing.
[0066] Optionally, if the attack signature detection module 102 detects that there are no attack signatures in the network data, the network data can be considered as normal network data, and the attack signature detection module 102 can transmit the network data to the long-distance wireless communication network.
[0067] In one embodiment, when blocking network data access to the long-distance wireless communication network, the intrusion blocking module 103 may perform the following steps: if the network data has the characteristics of a second type of attack, determine the number of times the network data appears within a preset time period; and block the network data based on the number of times the network data appears.
[0068] In one embodiment, when the intrusion blocking module 103 blocks network data based on the number of times the network data appears, it may perform the following steps:
[0069] If the number of times the network data appears within the preset time period is less than or equal to the number of occurrences threshold, then the network data's access to the long-distance wireless communication network is blocked.
[0070] If the number of times the network data appears within the preset time period is greater than the number threshold, and each occurrence of the network data is generated by the target device, then the target device's access to the long-distance wireless communication network is blocked.
[0071] If the number of times the network data appears within the preset time period is greater than the number threshold, and the occurrences of the network data are generated by different devices, then the data protocol corresponding to the network data is determined, and the data protocol is repaired.
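The local triage and the occurrence-count blocking rule of paragraphs [0063] to [0071], as an added example that is not code from the patent or its assignee. It assumes the attack signature detection result arrives with each capture, that captures arrive in time order, and that a `fingerprint` string identifies "the same network data"; the window, threshold, device names and fingerprints are constructed values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from enum import Enum


class Feature(Enum):
    NONE = "none"
    SUSPICIOUS = "suspicious"              # first type: goes to the cloud
    MALICIOUS_REMOTE = "malicious_remote"  # first type: goes to the cloud
    MALICIOUS_LOCAL = "malicious_local"    # second type: blocked locally


class Action(Enum):
    FORWARD = "forward"
    SEND_TO_CLOUD = "send_to_cloud"
    BLOCK_DATA = "block_data"
    BLOCK_DEVICE = "block_device"
    REPAIR_PROTOCOL = "repair_protocol"


@dataclass(frozen=True)
class NetworkData:
    ts: float          # capture time in seconds
    device: str        # sender identifier (constructed)
    protocol: str      # data protocol the traffic belongs to
    fingerprint: str   # hypothetical key: equal fingerprints = same network data
    feature: Feature   # output of the attack signature detection step


class LocalTriage:
    def __init__(self, window_s: float, count_threshold: int):
        self.window_s = window_s
        self.count_threshold = count_threshold
        self._hits = defaultdict(deque)  # fingerprint -> (ts, device) in window
        self.blocked_devices = set()

    def handle(self, d: NetworkData):
        """Return (Action, target); target is a device, a protocol or None."""
        # Assumption: once a device is blocked, everything it sends is refused.
        if d.device in self.blocked_devices:
            return Action.BLOCK_DEVICE, d.device
        if d.feature is Feature.NONE:
            return Action.FORWARD, None
        if d.feature in (Feature.SUSPICIOUS, Feature.MALICIOUS_REMOTE):
            return Action.SEND_TO_CLOUD, None

        # Second type: count occurrences inside the preset time period.
        hits = self._hits[d.fingerprint]
        hits.append((d.ts, d.device))
        while hits and hits[0][0] <= d.ts - self.window_s:
            hits.popleft()

        if len(hits) <= self.count_threshold:
            return Action.BLOCK_DATA, None
        devices = {dev for _, dev in hits}
        if len(devices) == 1:
            # Every occurrence came from one device: cut that device off.
            self.blocked_devices.add(d.device)
            return Action.BLOCK_DEVICE, d.device
        # More than one sender (treated here as "different devices"):
        # the weakness is in the protocol, so flag it for repair.
        return Action.REPAIR_PROTOCOL, d.protocol


def run_demo():
    """Constructed captures covering every branch of the rule."""
    triage = LocalTriage(window_s=60, count_threshold=3)
    local = Feature.MALICIOUS_LOCAL
    captures = [
        NetworkData(0, "node-a", "lorawan", "uplink", Feature.NONE),
        NetworkData(1, "node-b", "lorawan", "odd-join", Feature.SUSPICIOUS),
        NetworkData(2, "host-x", "ssh", "ssh-login", local),
        NetworkData(3, "host-x", "ssh", "ssh-login", local),
        NetworkData(4, "host-x", "ssh", "ssh-login", local),
        NetworkData(5, "host-x", "ssh", "ssh-login", local),
        NetworkData(6, "host-x", "lorawan", "uplink", Feature.NONE),
        NetworkData(10, "h1", "mysql", "db-probe", local),
        NetworkData(11, "h2", "mysql", "db-probe", local),
        NetworkData(12, "h3", "mysql", "db-probe", local),
        NetworkData(13, "h4", "mysql", "db-probe", local),
        NetworkData(200, "h5", "mysql", "db-probe", local),
    ]
    return [triage.handle(c) for c in captures]


if __name__ == "__main__":
    for action, target in run_demo():
        print(action.value, target)
```

The last capture arrives after the 60-second window has emptied, so its count restarts at one and only the data itself is blocked.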
[0072] In one embodiment, the data acquisition module 101, attack signature detection module 102, and intrusion blocking module 103 can be hardware devices or code programs. These modules can be integrated into a single physical device, such as a data processing device 100, as shown in Figure 1; alternatively, these modules can be deployed in different devices. For example, assuming the network environment of the long-distance wireless transmission network is an Ethernet network, the data acquisition module 101 can be deployed on the core network server and gateway device of the long-distance wireless transmission network; or, assuming the network environment of the long-distance wireless transmission network is a wireless sensor network, the data acquisition module 101 can be deployed on the gateway device. The attack signature detection module 102 and the intrusion blocking module 103 can also be deployed on different devices, and this embodiment of the invention does not impose specific limitations.
[0073] In one embodiment, the network protection system shown in Figure 1 also includes a receiving module 104 and a processing module 105. Similarly, the receiving module 104 and processing module 105 can be hardware devices or code programs. Optionally, the receiving module 104 and processing module 105 can be integrated into a single physical device, such as a cloud device 200, as shown in Figure 1; or, the receiving module 104 and the processing module 105 may be deployed in different devices according to the specific network environment of the long-distance wireless communication network, and the embodiments of the present invention do not make specific limitations.
[0074] In one embodiment, the attack signature detection module 102 is further configured to transmit the network data to a cloud device if the network data is detected to have a first type of attack signature, wherein the first type of attack signature includes suspicious attack signatures and malicious attack signatures that require remote processing.
[0075] In one embodiment, the receiving module 104 in the cloud device can be connected to the attack signature detection module 102, and the receiving module 104 is used to receive network data transmitted by the attack signature detection module 102.
[0076] In one embodiment, the receiving module 104 is connected to the processing module 105, which is used to perform abnormal data processing on the network data according to the type of the first type of attack characteristics.
[0077] In one embodiment, the processing module 105 may include a security response module 1050 and a data analysis module 1051. When the processing module 105 performs abnormal data processing on the network data according to the type of the first type of attack characteristics:
[0078] The security response module 1050 is used to output an anomaly handling notification if the type of the first type of attack feature is a malicious attack feature that requires remote processing. The anomaly handling notification is used to instruct maintenance personnel to block the network data from accessing the long-distance wireless communication network.
[0079] The data analysis module 1051 is used to perform abnormal data storage and analysis on the network data if the type of the first type of attack feature is a suspicious attack feature.
[0080] In one embodiment, when the security response module 1050 outputs an exception handling notification if the type of the first type of attack feature is a malicious attack feature that requires remote processing, it performs the following steps:
[0081] The processing priority of the network data is determined based on the attack severity of the first type of attack characteristics on the long-distance wireless communication network; the notification method is determined based on the processing priority of the network data; and an anomaly handling notification is output according to the notification method.
[0082] In one embodiment, the processing module 105 is further configured to match the first type of attack feature with the new attack feature if a new attack feature is detected.
[0083] If the first type of attack feature successfully matches the new attack feature, then the network data is blocked using the attack blocking strategy corresponding to the new attack feature.
[0084] In one embodiment, the processing module 105 is further configured to: call an attack behavior analysis model to analyze the network data to determine whether the first type of attack feature is a malicious attack feature that needs to be blocked; if the first type of attack feature is a malicious attack feature that needs to be blocked, then add a mark to be blocked to the network data so that when the cloud device blocks the network data with the mark to be blocked, it blocks the network data from accessing the long-distance wireless communication network.
[0085] In this embodiment of the invention, after the data acquisition module 101 acquires network data from the long-distance wireless communication network, the attack feature detection module 102 performs attack feature detection on the network data. If the network data is detected to possess a first type of attack feature, the attack feature detection module 102 sends the network data to the cloud device so that the cloud device can process the network data as abnormal data. The first type of attack feature may include suspicious attack features or malicious attack features that require remote processing. If the network data is detected to possess a second type of attack feature, the intrusion detection module 103 blocks the network data from accessing the long-distance wireless communication network. The second type of attack feature refers to malicious attack features that require local processing. As can be seen from the above network data processing process, in this embodiment of the invention, the various local modules and the modules in the cloud device jointly process data containing attack features in the long-distance wireless communication network to prevent the attack features from causing malicious impact on the long-distance wireless communication network, thereby improving the security of the long-distance wireless communication network.
[0086] Based on the aforementioned network protection system, this invention provides a data processing method. See Figure 2, which is a flowchart illustrating a data processing method provided in an embodiment of the present invention. The data processing method shown in Figure 2 can be executed by a data processing device and may include the following steps:
[0087] Step S201: Obtain network data from the long-distance wireless communication network and perform attack feature detection on the network data.
[0088] In one embodiment, the long-distance wireless communication network described in this invention embodiment can refer to a type of low-power wide-area network (LPWAN). LPWAN, also known as low-power network or LPN, is a wireless network used in the Internet of Things (e.g., battery-powered sensors) that can perform long-distance communication at low bit rates.
[0089] In one embodiment, the long-range wireless communication network described in this invention can refer to an LPWAN network designed using the LoRaWAN communication protocol based on the long-range radio technology LoRa. The long-range wireless communication network may include LoRaWAN node devices, a core network server, and gateway devices. Specifically, the network environment of the long-range wireless communication network may include a wireless sensor network or an Ethernet network.
[0090] In long-range wireless communication networks, when a LoRaWAN node device wants to communicate, it can initiate an encrypted communication process using a pre-programmed communication key (ABP, Activation by Personalization) without needing over-the-air activation. The pre-programmed communication key (ABP) is embedded in the LoRaWAN node device registered in the long-range wireless communication network.
[0091] Any LoRaWAN node device connects to the long-distance wireless communication network via an over-the-air activation (OTAA) method. When any LoRaWAN node device is powered on, it communicates with the core network server to negotiate a communication encryption key, thereby activating the device and enabling it to connect to the network.
[0092] In one embodiment, the network data in a long-range wireless communication network differs depending on the network environment. Specifically, if the network environment of the long-range wireless communication network is an Ethernet network, then the network data refers to the network data sent to the target ports of the gateway device and the core network server; if the network environment of the long-range wireless communication network is a wireless sensor network, then the network data refers to the radio data related to long-range radio technology in the long-range wireless communication network.
[0093] After acquiring network data from a long-distance wireless communication network, the data processing device further performs attack signature detection on the network data to determine whether the network data is secure.
[0094] In specific implementation, if the data processing device is performing attack feature detection on network data: if no attack features are found in the network data, the data processing device will transmit the network data to the corresponding device in the long-distance wireless communication network so that the network data can access the long-distance wireless communication network; if the network data has the first type of attack features, then step S202 will be executed, that is, the network data will be transmitted to the cloud device so that the cloud device can perform abnormal data processing on the network data. The first type of attack features may include suspicious attack features or malicious attack features that need to be processed remotely. Malicious attack features that need to be processed remotely can be understood as known attack features that the data processing device cannot block. Data with such attack features usually requires human intervention to block its access to the long-distance wireless communication network.
[0095] If the network data has the characteristics of the second type of attack, then step S203 is executed, that is, the network data is blocked from accessing the long-distance wireless communication network. The second type of attack characteristics mentioned here refers to malicious attack characteristics that need to be processed locally. Local refers to the data processing device that detects the attack characteristics of the network data. Malicious attack characteristics that need to be processed locally can be understood as known attack characteristics that the data processing device can block. Network data with this type of attack characteristics can usually be automatically blocked from accessing the long-distance wireless communication network by the data processing device.
[0096] In one embodiment, when the long-distance wireless communication network is in different network environments, the malicious attack characteristics that need to be processed remotely and those that need to be processed locally are different. Specifically, if the network environment of the long-distance wireless communication network is an Ethernet network, the malicious attack characteristics that need to be processed locally may include any one or more of the following: unauthorized malicious access based on known communication protocols, malicious login to the core network server, malicious database access, and access to target ports of gateway devices and core network servers of a preset type.
[0097] The known communication protocols may include any one or more of the following: Message Queuing Telemetry Transport (MQTT), Google Remote Procedure Call Protocol (gRPC), and Hypertext Transfer Protocol (HTTP). Preset access types may include access to send specified data, etc.
[0098] The above are just some examples of malicious attack features that may require local processing in Ethernet networks. In practical applications, depending on the application scenario and the application network, there may be other malicious attack features that require local processing, which will not be listed one by one in this embodiment of the invention.
[0099] In one embodiment, if the network environment of the long-distance wireless communication network is a wireless sensor network, the malicious attack characteristics that need to be handled remotely may include any one or more of the following: malicious network access of the LoRaWAN node device in the long-distance wireless communication network, malicious attack on the LoRaWAN node device using a target vulnerability, and counting sequence replay attack in the long-distance wireless communication network. The target vulnerability may refer to CVE-2020-11068, etc.
[0100] It should be understood that the above are only some malicious attack characteristics that need to be remotely processed in wireless sensor networks. In practical applications, depending on the application scenario and the application network, there may be other malicious attack characteristics that need to be remotely processed, which are not listed one by one in this embodiment of the invention.
[0101] Step S202: If the network data has the characteristics of a first type of attack, the network data is transmitted to the cloud device so that the cloud device can perform abnormal data processing on the network data. The first type of attack characteristics includes suspicious attack characteristics or malicious attack characteristics that require remote processing.
[0102] As mentioned above, the first type of attack feature can refer to suspicious attack features or malicious attack features that need to be processed remotely, and the data processing device cannot block either of these two types of attack features. Therefore, if the data processing device discovers during attack feature detection that the network data has the first type of attack feature, it needs to transmit the network data to the cloud device to instruct the cloud device to perform abnormal data processing on the network data.
[0103] In one embodiment, after receiving network data sent by the data processing device, the cloud device can analyze the type of the first type of attack feature in the network data. If the type of the first type of attack feature is a suspicious attack feature, it indicates that it is not yet certain whether some blocking measures need to be taken to block the network data from accessing the long-distance wireless communication network. In this case, the cloud device can store the first type of attack feature so that if a new attack feature is released later, the cloud device can match the first type of attack feature with the new attack feature. If the match is successful, it is determined that the first type of attack feature needs to be blocked. At this time, the cloud device can block the network data from accessing the long-distance wireless communication network.
[0104] If the type of the first type of attack feature is a malicious attack feature that requires remote processing, as mentioned above, malicious attack features that require remote processing are usually attack features that require maintenance personnel to intervene and block. Therefore, the cloud device can output an anomaly handling notification, which is used to instruct maintenance personnel to block network data access to the long-distance wireless communication network.
[0105] Step S203: If the network data has the characteristics of the second type of attack, then block the network data from accessing the long-distance wireless communication network. The second type of attack characteristics includes malicious attack characteristics that need to be processed locally.
[0106] As mentioned above, network data with malicious attack characteristics that require local processing is usually data that data processing devices can automatically block. Therefore, if the data processing device detects that network data has the characteristics of the second type of attack, it will directly block the network data from accessing the long-distance wireless communication network to ensure the security of the long-distance wireless communication network.
[0107] In one embodiment, if network data exhibits characteristics of a second type of attack, then blocking the network data's access to the long-distance wireless communication network includes: if network data exhibits characteristics of a second type of attack, determining the number of times the network data appears within a preset time period; and blocking the network data based on the number of times the network data appears.
[0108] In specific implementation, if the number of times the network data appears within the preset time period is less than or equal to a threshold, then the network data's access to the long-distance wireless communication network is blocked; if the number of times the network data appears within the preset time period is greater than the threshold, and each occurrence of the network data is generated by the target device, then the target device's access to the long-distance wireless communication network is blocked; if the number of times the network data appears within the preset time period is greater than the threshold, and each occurrence of the network data is generated by a different device, then the data protocol corresponding to the network data is determined, and the data protocol is repaired.
[0109] The aforementioned threshold (the attack threshold) can be determined by the data processing device according to the attack tolerance of the long-distance wireless communication network. For example, if the network security of the long-distance wireless communication network is good, a few malicious attacks will not have a significant impact on the network, so the attack tolerance of the network is likely good, and the attack threshold can be set slightly higher. Conversely, if the network security of the long-distance wireless communication network is poor, a few malicious attacks will cause significant damage, so the attack tolerance of the network is not good, and the attack threshold should be set lower. It should be understood that the above is only one embodiment of determining the attack threshold according to the present invention. In practical applications, the attack threshold should be set according to the specific network conditions.
[0110] Optionally, if the number of times the network data appears within the preset time period is less than or equal to the number of occurrences threshold, it indicates that the data that attacks the long-distance wireless communication network only appears occasionally or infrequently, and may not be intentional. In this case, the network data's access to the long-distance wireless communication network can be directly blocked.
[0111] If the number of times the network data appears within the preset time period exceeds the threshold, and each occurrence of the network data is generated by the target device, it indicates that this data, which exhibits attack behavior against the long-distance wireless communication network, appears frequently and is generated by the target device. This device may be specifically designed to attack the long-distance wireless communication network and is therefore an insecure device. In this case, to ensure the security of the long-distance wireless communication network, the target device's access to the long-distance wireless communication network can be blocked.
[0112] If the number of times the network data appears within the preset time period is greater than the number threshold, and each occurrence of the network data is generated by a different device, it indicates that the different devices all exhibit the characteristics of a second type of attack when generating network data sent to the long-distance wireless communication network based on the data protocol corresponding to the network data. This may be because the data protocol corresponding to the network data has been attacked, and in this case, the data protocol can be repaired.
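The three-way decision described in the preceding paragraphs can be written as a small sliding-window counter. The following Python sketch is an added example, not code from the patent; the class and field names, the choice to count occurrences per signature name, and the fallback for a mix of repeating and distinct devices (a case the text does not cover) are assumptions.

```python
from collections import deque
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    BLOCK_DATA = "block the network data"
    BLOCK_DEVICE = "block the sending device"
    REPAIR_PROTOCOL = "repair the data protocol"


@dataclass(frozen=True)
class Hit:
    """One detection of a second-type (locally handled) attack signature."""
    ts: float        # seconds on any monotonic clock
    signature: str   # hypothetical signature name
    device_id: str   # hypothetical sender identifier (IP address, DevAddr, ...)
    protocol: str    # data protocol that produced the data, e.g. "mqtt"


class LocalBlocker:
    def __init__(self, window_s, threshold):
        self.window_s = window_s      # the "preset time period"
        self.threshold = threshold    # the attack threshold
        self._hits = {}               # signature -> deque of Hit (assumed keying)

    def decide(self, hit):
        """Record the hit and return (Action, target) for it."""
        hits = self._hits.setdefault(hit.signature, deque())
        hits.append(hit)
        # Forget occurrences that fell out of the preset time period.
        while hit.ts - hits[0].ts > self.window_s:
            hits.popleft()

        count = len(hits)
        if count <= self.threshold:
            # Occasional occurrence: drop this data only.
            return Action.BLOCK_DATA, hit.signature
        devices = {h.device_id for h in hits}
        if len(devices) == 1:
            # Every occurrence came from the same device: block that device.
            return Action.BLOCK_DEVICE, hit.device_id
        if len(devices) == count:
            # Every occurrence came from a different device: suspect the protocol.
            return Action.REPAIR_PROTOCOL, hit.protocol
        # Assumption: the mixed case is not described, so only the data is blocked.
        return Action.BLOCK_DATA, hit.signature


def demo():
    """Constructed sample: one client trips the same signature three times."""
    blocker = LocalBlocker(window_s=60, threshold=2)
    return [blocker.decide(Hit(t, "ssh_port_write", "10.0.0.5", "ssh"))
            for t in (0, 10, 20)]
```
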
[0113] In one embodiment, the data processing device may include a data acquisition module, an attack signature detection module, and an intrusion blocking module. The acquisition of network data in the long-distance wireless communication network in step S201 may be performed by the data acquisition module in the data processing device; the attack signature detection of the network data in step S201 may be performed by the attack signature detection module in the data processing device; if the network data possesses a first type of attack signature in step S202, transmitting the network data to the cloud device may be performed by the attack signature detection module; if the network data possesses a second type of attack signature in step S203, blocking the network data from accessing the long-distance wireless communication network may be performed by the intrusion detection module.
[0114] Based on the above description, this embodiment of the invention provides a flowchart of a data processing device performing network protection, as shown in Figure 3. When starting network protection, the network environment of the long-distance wireless communication network is detected. If it is an Ethernet network, the data acquisition module collects Ethernet data sent to the target ports of the gateway device and the core network server; if it is a wireless sensor network, the data acquisition module collects radio data related to long-distance wireless communication technology in the long-distance wireless communication network.
[0115] Then, the attack signature detection module performs attack signature detection on the network data collected by the data acquisition module. Specifically, it detects whether malicious attack signatures exist in the network data. If so, it further checks whether the malicious attack signature needs local processing. If so, it notifies the intrusion detection module, which blocks the network data from accessing the long-distance wireless communication network and discards the network data. If the malicious attack signatures in the network data require remote processing, the attack signature detection module transmits the network data to a cloud device for abnormal data processing.
[0116] Optionally, if suspicious attack characteristics are detected in the network data, the network data is transmitted to a cloud device for abnormal data processing.
[0117] If no attack signatures are detected in the network data, the network data is allowed to access the long-distance wireless communication network.
[0118] In one embodiment, malicious attack signature detection of network data can be performed as shown in Figure 4. If the network data is Ethernet data, the malicious attack features that can be detected during attack feature detection and require local processing may include: unauthorized malicious access based on the MQTT protocol, malicious attacks based on the gRPC protocol, malicious brute-force login to the core network server or gateway device, malicious database access, and preset type access to the target ports of the gateway device and the core network server (or malicious access to common high-risk ports); if the network data is radio data, the malicious attack features that can be detected during attack feature detection and require remote processing may include: malicious network access by LoRaWAN node devices, malicious attacks on the LoRaWAN node devices using target vulnerabilities, and long-distance wireless communication network counting sequence replay attacks.
[0119] The following is a brief explanation of how the aforementioned malicious attack characteristics can be detected. In an Ethernet environment, a device typically subscribes to one or two related messages. If the MQTT-based network data sent to the core network server indicates subscription to all messages in the long-distance wireless communication network, or if the network data does not include a username or password, then the network data can be considered to have the characteristics of an unauthorized malicious access attack based on the MQTT protocol.
[0120] Similarly, if network data sent to the core network server based on the gRPC protocol is not authenticated by the core network server or does not contain a username and password, then the network data can be considered to have the characteristics of a malicious attack based on the gRPC protocol.
[0121] Optionally, if multiple login requests to the core network server or gateway device are collected within a certain period of time, and the usernames and passwords carried in these login requests are randomly generated, then the network data carrying the login requests can be considered to have the characteristics of a malicious attack that maliciously brute-forces login to the core network server or gateway device.
[0122] Optionally, if network data sent to a core network server for accessing a database on the core network server does not include a username or password, the network data can be considered to have malicious attack characteristics of malicious database access.
[0123] In one embodiment, the data processing device predefines target ports in gateway devices or core network servers, such as FTP ports (ports used for file transfer), SSH ports (ports used for logging into devices), and some web ports. These target ports can be considered as predefined high-risk ports. When network data is detected being written to these target ports (in this embodiment, writing data can be considered as a preset type of access), it is considered that this type of network data has malicious attack characteristics of preset type access to the target ports of gateway devices and core network servers.
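The MQTT check from paragraph [0119] can be made concrete by reading the two packet types involved. The following Python sketch is an added example, not code from the patent; it assumes MQTT 3.1.1 framing, the signature names are hypothetical, the sample packets are constructed, and treating filters such as "+/#" like "#" is an assumed generalization of "subscription to all messages".

```python
def _remaining_length(buf, pos):
    """Decode the variable-length 'remaining length' of the fixed header."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 21:
            raise ValueError("remaining length longer than four bytes")


def _utf8(buf, pos):
    """Read one length-prefixed UTF-8 string; return (text, next position)."""
    n = int.from_bytes(buf[pos:pos + 2], "big")
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n


def _matches_everything(topic_filter):
    """True for '#' and for filters made only of wildcards ending in '#'."""
    levels = topic_filter.split("/")
    return levels[-1] == "#" and all(lv == "+" for lv in levels[:-1])


def mqtt_signature(packet):
    """Return a signature name for one MQTT 3.1.1 packet, or None."""
    if len(packet) < 2:
        return None
    try:
        ptype = packet[0] >> 4
        _, pos = _remaining_length(packet, 1)
        if ptype == 1:                        # CONNECT
            _, pos = _utf8(packet, pos)       # protocol name, e.g. "MQTT"
            flags = packet[pos + 1]           # byte after the protocol level
            # Bit 7 = username present, bit 6 = password present.
            if flags & 0xC0 != 0xC0:
                return "mqtt_no_credentials"
        elif ptype == 8:                      # SUBSCRIBE
            pos += 2                          # packet identifier
            while pos < len(packet):
                topic_filter, pos = _utf8(packet, pos)
                pos += 1                      # requested QoS byte
                if _matches_everything(topic_filter):
                    return "mqtt_subscribe_all"
    except (IndexError, ValueError):
        return None                           # truncated packet: not classified here
    return None


# --- constructed sample packets (bodies stay under 128 bytes) ---------------
def _s(text):
    raw = text.encode()
    return len(raw).to_bytes(2, "big") + raw


def build_connect(client_id, username=None, password=None):
    flags, payload = 0x02, _s(client_id)      # 0x02 = clean session
    if username is not None:
        flags |= 0x80
        payload += _s(username)
    if password is not None:
        flags |= 0x40
        payload += _s(password)
    body = _s("MQTT") + bytes([4, flags]) + (60).to_bytes(2, "big") + payload
    return bytes([0x10, len(body)]) + body


def build_subscribe(filters):
    body = b"\x00\x01" + b"".join(_s(f) + b"\x00" for f in filters)
    return bytes([0x82, len(body)]) + body
```

In the scheme described above these are second-type signatures, so a match leads to local blocking rather than forwarding to the cloud device.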
[0124] In wireless sensor networks, once the long-distance wireless communication network is established, it is possible to pre-determine which LoRaWAN node devices can join the network, or in other words, which nodes are legitimate. If a network access request is detected in the network data of the long-distance wireless communication network, but the request is not initiated by a legitimate node device, then the network data can be considered to have malicious attack characteristics of LoRaWAN node devices maliciously joining the network.
[0125] Optionally, a malicious attack targeting a vulnerability corresponds to a vulnerability characteristic that affects data packets. Whether network data possesses the characteristics of a malicious attack targeting a vulnerability can be determined by detecting the network data packets. For example, the vulnerability characteristic corresponding to a malicious attack targeting a vulnerability might be that the data packets are relatively short. When short network data packets are detected, it can be considered that the network data possesses the malicious attack characteristics of a malicious attack targeting the LoRaWAN node device.
[0126] A long-range wireless communication network counting sequence replay attack refers to the continuous reception of network data with the same sequence number within a certain period of time in a long-range wireless communication network; or the continuous reception of network data that does not conform to the current environment. In this case, the network data can be considered to have the malicious attack characteristics of a long-range wireless communication network counting sequence replay attack.
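The three radio-side checks in paragraphs [0124] to [0126] can be run directly over LoRaWAN PHYPayload bytes. The following Python sketch is an added example, not code from the patent; the signature names, the window and repeat limit, and the use of the minimum well-formed frame length as the "short packet" test are assumptions, and the sample frames are constructed with dummy MIC bytes.

```python
from collections import defaultdict, deque

# MType is carried in the top three bits of the MAC header (MHDR).
JOIN_REQUEST = 0b000
DATA_UP = (0b010, 0b100)   # unconfirmed / confirmed data uplink
JOIN_REQUEST_LEN = 23      # MHDR + JoinEUI(8) + DevEUI(8) + DevNonce(2) + MIC(4)
MIN_DATA_LEN = 12          # MHDR + DevAddr(4) + FCtrl(1) + FCnt(2) + MIC(4)


class RadioDetector:
    def __init__(self, allowed_dev_euis, window_s=60.0, repeat_limit=3):
        self.allowed = {e.lower() for e in allowed_dev_euis}  # legitimate nodes
        self.window_s = window_s
        # Assumption: a limit above 1 leaves room for legitimate retransmissions.
        self.repeat_limit = repeat_limit
        self._seen = defaultdict(deque)   # (DevAddr, FCnt) -> timestamps

    def inspect(self, ts, phy):
        """Return a signature name for one PHYPayload, or None if clean."""
        if not phy:
            return "short_packet"
        mtype = phy[0] >> 5
        if mtype == JOIN_REQUEST:
            if len(phy) < JOIN_REQUEST_LEN:
                return "short_packet"
            dev_eui = phy[9:17][::-1].hex()      # little-endian on the wire
            return None if dev_eui in self.allowed else "unknown_join"
        if mtype in DATA_UP:
            if len(phy) < MIN_DATA_LEN:
                return "short_packet"
            dev_addr = phy[1:5][::-1].hex()
            fcnt = int.from_bytes(phy[6:8], "little")
            times = self._seen[(dev_addr, fcnt)]
            times.append(ts)
            while ts - times[0] > self.window_s:
                times.popleft()
            if len(times) >= self.repeat_limit:
                return "counter_replay"
        return None

    def triage(self, ts, phy):
        """Radio signatures need remote processing, so hits go to the cloud."""
        sig = self.inspect(ts, phy)
        return ("allow", None) if sig is None else ("send_to_cloud", sig)


# --- constructed sample frames ----------------------------------------------
def build_join_request(dev_eui_hex, join_eui_hex="0000000000000000"):
    return (bytes([JOIN_REQUEST << 5])
            + bytes.fromhex(join_eui_hex)[::-1]
            + bytes.fromhex(dev_eui_hex)[::-1]
            + b"\x01\x00"          # DevNonce (dummy)
            + b"\x00" * 4)         # MIC (dummy)


def build_uplink(dev_addr_hex, fcnt):
    return (bytes([0b010 << 5])
            + bytes.fromhex(dev_addr_hex)[::-1]
            + b"\x00"                      # FCtrl
            + fcnt.to_bytes(2, "little")   # FCnt
            + b"\x01\xaa"                  # FPort + one payload byte
            + b"\x00" * 4)                 # MIC (dummy)
```

The detector does not verify the MIC, so it complements rather than replaces the integrity checks done by the core network server.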
[0127] In this embodiment of the invention, a data processing device acquires network data from a long-distance wireless communication network and performs attack feature detection on the network data. If the network data is detected to possess a first type of attack feature, it is sent to a cloud device for abnormal data processing. The first type of attack feature includes suspicious attack features or malicious attack features requiring remote processing. If the network data is detected to possess a second type of attack feature, access to the long-distance wireless communication network by the network data is blocked. The second type of attack feature refers to malicious attack features requiring local processing. As can be seen from the above network data processing process, in this embodiment of the invention, the data processing device and the cloud device jointly protect or block network data with attack features in a long-distance wireless communication network, preventing the network data with attack features from maliciously affecting the long-distance wireless communication network, thereby improving the security of the long-distance wireless communication network.
[0128] Based on the data processing method described above, this embodiment of the invention provides another data processing method. See Figure 5, which is a flowchart illustrating another data processing method provided in an embodiment of the present invention. The data processing method shown in Figure 5 can be executed by a cloud device and may include the following steps:
[0129] Step S501: Receive network data from a long-distance wireless communication network sent by a data processing device. The network data has a first type of attack characteristic, which includes suspicious attack characteristics or malicious attack characteristics that require remote processing.
[0130] In one embodiment, as described above, after acquiring network data from a long-distance wireless communication network, the data processing device performs attack signature detection on the network data. If a first type of attack signature is detected in the network data, the data processing device then transmits the network data to the cloud device.
[0131] Optionally, for details on how the data processing device performs attack signature detection on network data, please refer to the relevant descriptions of step S201 in the embodiment of Figure 2, which will not be repeated here.
[0132] Step S502: Perform abnormal data processing on network data according to the type of the first type of attack characteristics.
[0133] As mentioned above, the first type of attack signature can be either a suspicious attack signature or a malicious attack signature requiring remote processing. The cloud device handles network data differently depending on the type of attack signature. In specific implementation, if the first type of attack signature is a malicious attack signature requiring remote processing, an anomaly handling notification is output. This notification instructs maintenance personnel to block network data access to the long-distance wireless communication network. If the first type of attack signature is a suspicious attack signature, the network data is stored as abnormal data.
[0134] As should be understood from the foregoing, network data with malicious attack characteristics that require remote processing needs to be intervened by maintenance personnel to prevent it from accessing the long-distance wireless communication network. Therefore, if the cloud device determines that the type of the first type of attack characteristics is a malicious attack characteristic that requires remote processing, it will output an abnormal handling notification prompting maintenance personnel to intervene and block it.
[0135] Optionally, the anomaly handling notification may include the characteristics of a malicious attack requiring remote processing, along with relevant information such as the impact of the malicious attack on the long-distance wireless communication network and the number of times the malicious attack occurred within a preset time period. This way, if there is a large amount of network data that maintenance personnel need to block, they can determine a blocking priority for that network data based on the impact of the malicious attack characteristics on the long-distance wireless communication network, allowing them to prioritize network data with a greater impact on the long-distance wireless communication network. Furthermore, based on the number of times the network data with the malicious attack characteristics requiring remote processing occurs within the preset time period, maintenance personnel can also determine whether to take blocking measures against the device sending the network data or repair measures against the data protocol generating the network data.
[0136] In one embodiment, if the type of the first type of attack feature is a malicious attack feature that requires remote processing, then an anomaly handling notification is output, including: determining the processing priority of the network data based on the degree of attack of the first type of attack feature on the long-distance wireless communication network; determining the notification method based on the processing priority of the network data; and outputting the anomaly handling notification according to the notification method.
[0137] In practice, the more severe the attack on a long-distance wireless communication network by the first type of attack characteristics, the higher the processing priority of the network data. If the processing priority of the network data is high, the notification method can be telephone notification; if the processing priority of the network data is low, the notification method can be SMS or email notification.
[0138] Outputting an exception handling notification according to the notification method can mean: if the notification method is telephone notification, then call the maintenance personnel to inform them of the relevant situation; if the notification method is SMS or email notification, then send a message or email to the maintenance personnel, explaining the relevant situation in the SMS or email.
[0139] In one embodiment, if the type of the first type of attack feature is a suspicious attack feature, after storing the network data as abnormal data, the method further includes: if a new attack feature is detected, matching the first type of attack feature with the new attack feature; if the first type of attack feature successfully matches the new attack feature, then using the attack blocking strategy corresponding to the new attack feature to block the network data.
[0140] Optionally, the matching of the first attack signature with the new attack signature can be performed automatically by the cloud device, or the cloud device can send the new attack signature to the data processing device and instruct the data processing device to perform the matching. If the data processing device performs the matching, after determining that the first attack signature matches the new attack signature, it must also determine whether the data processing device can block the first attack signature locally. If so, it blocks it directly; otherwise, it sends it to the cloud device to instruct the cloud device to notify maintenance personnel to perform blocking.
[0141] In one embodiment, if the first type of attack feature is a suspicious attack feature, after storing the network data as abnormal data, an attack behavior analysis model can be invoked to analyze the network data to determine whether the first type of attack feature is a malicious attack feature that needs to be blocked. If the first type of attack feature is a malicious attack feature that needs to be blocked, a mark to be blocked can be added to the network data so that when the cloud device blocks the network data with the mark to be blocked, it blocks the network data from accessing the long-distance wireless communication network. It should be noted that the cloud device may need to detect multiple network data, so it may not immediately process the network data after detecting that the first type of attack feature of the network data is a malicious attack feature that needs to be blocked. In order to know which network data needs to be blocked and which needs to continue to be stored locally when the network data blocking process is started after all network data detection is completed, a mark needs to be added to the network data.
[0142] In other embodiments, when the cloud device blocks the network data from accessing the long-distance wireless communication network, a feasible implementation method is as follows: the cloud device can inform the data processing device of the analysis results of the network data, so that the data processing device can determine whether the first type of attack feature can be blocked by the data processing device. If so, the data processing device can perform blocking processing; if not, the cloud device can output an anomaly handling notification to the maintenance personnel so that the maintenance personnel can block the network data from accessing the long-distance wireless communication network.
[0143] In one embodiment, the cloud device may include a receiving module and a processing module. The receiving module may be responsible for receiving network data from the long-distance wireless communication network sent by the data processing device in step S501. The processing module may be responsible for performing abnormal data processing on the network data according to the type of the first type of attack characteristics in step S502.
[0144] In one embodiment, the processing module may specifically include a security response module and a data analysis module. If the type of the first type of attack feature is a malicious attack feature that requires remote processing, the output of the anomaly handling notification is performed by the security response module. If the type of the first type of attack feature is a suspicious attack feature, the abnormal data storage and analysis of the network data may be performed by the data analysis module.
[0145] Based on the above description, this embodiment of the invention provides a flowchart of a cloud device performing network protection, as shown in Figure 6. After the receiving module of the cloud device receives network data from the long-distance wireless communication network, the processing module determines the type of the first type of attack feature in the network data. If the first type of attack feature is a malicious attack feature that requires remote processing, the security response module in the processing module outputs an anomaly handling notification; if the first type of attack feature is not a malicious attack feature that requires remote processing, that is, if the first type of attack feature is a suspicious attack feature, the data analysis module in the processing module performs anomaly analysis and archives the network data.
[0146] In this embodiment of the invention, after the cloud device receives network data from the long-distance wireless network sent by the data processing device, it performs anomaly processing on the network data according to the type of the first type of attack feature in the network data. This enables the cloud device and the data processing device to jointly block the attack features of the network data, thereby improving the security of the long-distance wireless communication network.
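The cloud-side handling described in paragraphs [0136] to [0146] can be sketched as follows. This is an added example, not code from the patent: the 0-10 severity scale, the priority cut-off, the field/value signature format and all sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class FeatureType(Enum):
    SUSPICIOUS = "suspicious"
    MALICIOUS_REMOTE = "malicious, requires remote processing"


@dataclass
class Record:
    record_id: str
    feature_type: FeatureType
    fields: dict          # parsed attributes of the network data (assumed shape)
    severity: int = 0     # degree of attack on the network, 0-10 (assumed scale)


@dataclass
class Signature:
    name: str
    match: dict              # field -> required value (assumed signature format)
    severity: int
    locally_blockable: bool  # can the data processing device enforce the block?


class CloudDevice:
    HIGH_PRIORITY_FROM = 7   # assumed cut-off between high and low priority

    def __init__(self):
        self.archive = {}         # record_id -> Record stored as abnormal data
        self.notifications = []   # (channel, record_id) sent to maintenance staff

    def channel_for(self, severity):
        # High priority -> telephone; low priority -> SMS or email ([0137]).
        return "telephone" if severity >= self.HIGH_PRIORITY_FROM else "sms_or_email"

    def notify(self, severity, record_id):
        channel = self.channel_for(severity)
        self.notifications.append((channel, record_id))
        return channel

    def receive(self, rec):
        # Security response module: malicious features needing remote handling.
        if rec.feature_type is FeatureType.MALICIOUS_REMOTE:
            return "notified:" + self.notify(rec.severity, rec.record_id)
        # Data analysis module: suspicious data is stored for later analysis.
        self.archive[rec.record_id] = rec
        return "archived"

    def on_new_signature(self, sig):
        # Re-check archived suspicious data against a newly released signature.
        if not sig.match:
            raise ValueError("empty signature would match every archived record")
        outcome = {}
        for rid, rec in list(self.archive.items()):
            if any(rec.fields.get(k) != v for k, v in sig.match.items()):
                continue
            del self.archive[rid]   # no longer merely suspicious
            if sig.locally_blockable:
                outcome[rid] = "block_locally"
            else:
                outcome[rid] = "notified:" + self.notify(sig.severity, rid)
        return outcome


def run_demo():
    cloud = CloudDevice()
    # Constructed sample records, not taken from the patent.
    records = [
        Record("r1", FeatureType.MALICIOUS_REMOTE, {"msg_type": "uplink"}, 9),
        Record("r2", FeatureType.MALICIOUS_REMOTE, {"msg_type": "uplink"}, 3),
        Record("r3", FeatureType.SUSPICIOUS,
               {"msg_type": "join_request", "dev_eui": "EUI-A"}),
        Record("r4", FeatureType.SUSPICIOUS,
               {"msg_type": "uplink", "fcnt_delta": "negative"}),
        Record("r5", FeatureType.SUSPICIOUS, {"msg_type": "downlink"}),
    ]
    receipts = [cloud.receive(r) for r in records]
    first = cloud.on_new_signature(Signature(
        "rogue-join", {"msg_type": "join_request", "dev_eui": "EUI-A"}, 5, True))
    second = cloud.on_new_signature(Signature(
        "counter-replay", {"fcnt_delta": "negative"}, 8, False))
    return receipts, first, second, sorted(cloud.archive), cloud.notifications


if __name__ == "__main__":
    for part in run_demo():
        print(part)
```

A record that matches no new signature (`r5` here) stays in the archive and is re-checked on the next signature release.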
[0147] Based on the above-described data processing method embodiments and network protection system embodiments, this invention also provides a computer device. Figure 7 is a schematic diagram of the structure of a computer device provided in an embodiment of the present invention. The computer device shown in Figure 7 includes at least a processor 701, an input interface 702, an output interface 703, and a computer storage medium 704. The processor 701, input interface 702, output interface 703, and computer storage medium 704 can be connected via a bus or other means.
[0148] In one embodiment, the computer storage medium 704 may be stored in the memory of a computer device. The computer storage medium 704 is used to store a first computer program, and the processor 701 is used to execute the first computer program stored in the computer storage medium 704. The processor 701 (or CPU (Central Processing Unit)) is the computing and control core of the computing device, and is adapted to implement one or more first computer programs, specifically adapted to load and execute them.
[0149] The system acquires network data from a long-distance wireless communication network and performs attack signature detection on the network data. If the network data exhibits a first type of attack signature, the network data is transmitted to a cloud device for abnormal data processing. The first type of attack signature refers to suspicious attack signatures or malicious attack signatures requiring remote processing. If the network data exhibits a second type of attack signature, the system blocks the network data from accessing the long-distance wireless communication network. The second type of attack signature refers to malicious attack signatures requiring local processing.
[0150] In other embodiments, the computer storage medium 704 may be used to store a second computer program, and the processor 701 is adapted to implement the second computer program, specifically to load and execute it.
[0151] The system receives network data from a long-distance wireless communication network sent by a data processing device. The network data possesses first-type attack characteristics, which include suspicious attack characteristics or malicious attack characteristics requiring remote processing. The first-type attack characteristics are determined by the data processing device when detecting attack characteristics in the network data. Based on the type of the first-type attack characteristics, the system performs abnormal data processing on the network data.
[0152] In this embodiment of the invention, the data processing device acquires network data from a long-distance wireless communication network and performs attack feature detection on the network data. If the network data is detected to possess a first type of attack feature, it is sent to a cloud device so that the cloud device can perform abnormal data processing on the network data. The first type of attack feature includes suspicious attack features or malicious attack features that require remote processing. If the network data is detected to possess a second type of attack feature, access to the long-distance wireless communication network by the network data is blocked. The second type of attack feature refers to malicious attack features that require local processing. As can be seen from the above network data processing process, in this embodiment of the invention, the data processing device and the cloud device jointly protect or block network data with attack features in a long-distance wireless communication network, preventing the network data with attack features from causing malicious impact on the long-distance wireless communication network, thereby improving the security of the long-distance wireless communication network.
[0153] This invention also provides a computer storage medium (memory), which is a memory device in a computer device used to store programs and data. It is understood that the computer storage medium here can include the computer device's built-in storage medium, or it can include extended storage media supported by the computer device. The computer storage medium provides storage space, which stores the operating system of the computer device. Furthermore, this storage space also stores one or more first or second computer programs suitable for loading and execution by the processor 701. It should be noted that the computer storage medium here can be high-speed RAM, or it can be non-volatile memory, such as at least one disk storage device; optionally, it can also be at least one computer storage medium located remotely from the aforementioned processor.
[0154] In one embodiment, one or more first computer programs stored in the computer storage medium may be loaded and executed by the processor 701 to implement the data processing method shown in Figure 2. In specific implementation, one or more first computer programs in the computer storage medium are loaded by processor 701 and executed as follows:
[0155] The system acquires network data from a long-distance wireless communication network and performs attack feature detection on the network data. If the network data possesses a first type of attack feature, the network data is transmitted to a cloud device so that the cloud device can perform abnormal data processing on the network data. The first type of attack feature refers to suspicious attack features or malicious attack features that require remote processing. If the network data possesses a second type of attack feature, the system blocks the network data from accessing the long-distance wireless communication network. The second type of attack feature refers to malicious attack features that require local processing.
[0156] In one embodiment, the long-range wireless communication network is a LoRaWAN network designed based on the long-range radio technology LoRa. The long-range wireless communication network includes LoRaWAN node devices, core network servers, and gateway devices. The network environment of the long-range wireless communication network includes wireless sensor networks or Ethernet networks.
[0157] If the network environment of the long-distance wireless communication network is an Ethernet network, then the network data refers to the target port Ethernet data sent to the gateway device and the core network server.
[0158] If the network environment of the long-distance wireless communication network is a wireless sensor network, then the network data refers to the radio data related to long-distance radio technology in the long-distance wireless communication network.
[0159] In one embodiment, if the network environment of the long-distance wireless communication network is an Ethernet network, the malicious attack features that need to be processed locally include any one or more of the following: unauthorized malicious access based on known communication protocols, malicious login to the core network server or the gateway device, malicious database access, and access to the target ports of the gateway device and the core network server of a preset type.
[0160] If the network environment of the long-distance wireless communication network is an Ethernet network, the malicious attack features that need to be remotely processed include any one or more of the following: malicious network access of the LoRaWAN node device in the long-distance wireless communication network, malicious attack on the LoRaWAN node device using a target vulnerability, and long-distance wireless communication network counting sequence replay attack.
[0161] In one embodiment, when the processor 701 blocks the network data from accessing the long-distance wireless communication network if the network data possesses the characteristics of a second type of attack, it performs the following steps:
[0162] If the network data exhibits characteristics of a second type of attack, the number of times the network data appears within a preset time period is determined; the network data is then blocked based on the number of times it appears.
[0163] In one embodiment, when the processor 701 blocks network data based on the number of times the network data appears, it performs the following steps:
[0164] If the number of times the network data appears within the preset time period is less than or equal to the number of occurrences threshold, then the network data's access to the long-distance wireless communication network is blocked.
[0165] If the number of times the network data appears within the preset time period is greater than the number threshold, and each occurrence of the network data is generated by the target device, then the target device's access to the long-distance wireless communication network is blocked.
[0166] If the number of times the network data appears within the preset time period is greater than the number threshold, and the network data appears in each instance by different devices, then the data protocol corresponding to the network data is determined, and the data protocol is repaired.
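The occurrence-count decision in paragraphs [0162] to [0166] can be sketched as a sliding-window counter. This is an added example, not code from the patent: the fingerprint used to identify "the same network data", the device identifier, the reading of "different devices" as more than one distinct source, and the sample hits are all assumptions constructed for illustration.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    BLOCK_DATA = "block the network data"
    BLOCK_DEVICE = "block the target device"
    REPAIR_PROTOCOL = "repair the data protocol"


@dataclass(frozen=True)
class Hit:
    """One detection of network data with a second-type (local) attack feature."""
    ts: float          # detection time in seconds
    fingerprint: str   # identifies "the same network data" (assumption)
    device: str        # source device identifier (assumption)
    protocol: str      # data protocol that carried the data (assumption)


class LocalBlocker:
    def __init__(self, window_s: float, threshold: int):
        self.window_s = window_s      # the preset time period
        self.threshold = threshold    # the occurrence-count threshold
        self._seen = {}               # fingerprint -> deque of recent hits

    def decide(self, hit: Hit) -> tuple[Action, str]:
        """Return the action and its target; hits must arrive in time order."""
        q = self._seen.setdefault(hit.fingerprint, deque())
        q.append(hit)
        # Forget occurrences that fall outside the preset time period.
        while q and hit.ts - q[0].ts > self.window_s:
            q.popleft()
        if len(q) <= self.threshold:
            # Rare occurrence: dropping this data is enough.
            return Action.BLOCK_DATA, hit.fingerprint
        devices = {h.device for h in q}
        if len(devices) == 1:
            # Repeated and always from one source: cut that device off.
            return Action.BLOCK_DEVICE, hit.device
        # Repeated from several sources: the protocol itself needs repair.
        return Action.REPAIR_PROTOCOL, hit.protocol


# Constructed sample input, not taken from the patent.
SAMPLE_HITS = [
    Hit(0, "unauth-access", "10.0.0.5", "mqtt"),
    Hit(10, "unauth-access", "10.0.0.5", "mqtt"),
    Hit(20, "unauth-access", "10.0.0.5", "mqtt"),
    Hit(30, "unauth-access", "10.0.0.5", "mqtt"),
    Hit(40, "malicious-login", "10.0.0.6", "ssh"),
    Hit(45, "malicious-login", "10.0.0.7", "ssh"),
    Hit(50, "malicious-login", "10.0.0.8", "ssh"),
    Hit(55, "malicious-login", "10.0.0.9", "ssh"),
    Hit(200, "unauth-access", "10.0.0.5", "mqtt"),
]


def replay(hits, window_s=60, threshold=3):
    blocker = LocalBlocker(window_s, threshold)
    return [blocker.decide(h) for h in hits]


if __name__ == "__main__":
    for hit, (action, target) in zip(SAMPLE_HITS, replay(SAMPLE_HITS)):
        print(f"t={hit.ts:>5} {hit.fingerprint:<16} -> {action.name} ({target})")
```

The last sample hit arrives after the window has expired, so the count restarts and the decision falls back to blocking only the data.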
[0167] In this embodiment of the invention, when the processor 701 of the aforementioned computer device executes the first computer program, the computer device can be equivalent to the aforementioned data processing device. The data processing device acquires network data in the long-distance wireless communication network and performs attack feature detection on the network data. If the network data is detected to possess a first type of attack feature, the network data is sent to the cloud device so that the cloud device can perform abnormal data processing on the network data. The first type of attack feature includes suspicious attack features or malicious attack features that require remote processing. If the network data is detected to possess a second type of attack feature, access to the long-distance wireless communication network by the network data is blocked. The second type of attack feature refers to malicious attack features that require local processing. As can be seen from the above network data processing process, in this embodiment of the invention, the data processing device and the cloud device jointly protect or block network data with attack features in the long-distance wireless communication network to prevent network data with attack features from causing malicious impact on the long-distance wireless communication network, thereby improving the security of the long-distance wireless communication network.
[0168] In other embodiments, one or more second computer programs stored in the computer storage medium may be loaded and executed by the processor 701 to implement the data processing method shown in Figure 5. In specific implementation, one or more second computer programs stored in the computer storage medium are loaded by processor 701 and executed as follows:
[0169] The system receives network data from a long-distance wireless communication network sent by a data processing device. The network data has a first type of attack characteristic, which includes suspicious attack characteristics or malicious attack characteristics that require remote processing. The first type of attack characteristic is determined by the data processing device when it performs attack characteristic detection on the network data. Based on the type of the first type of attack characteristic, the system performs abnormal data processing on the network data.
[0170] In one embodiment, when the processor 701 performs abnormal data processing on the network data according to the type of the first type of attack characteristics, it executes the following steps:
[0171] If the type of the first type of attack feature is a malicious attack feature that requires remote processing, an anomaly handling notification is output. The anomaly handling notification is used to instruct maintenance personnel to block the network data from accessing the long-distance wireless communication network.
[0172] If the first type of attack feature is a suspicious attack feature, then the network data will be stored and analyzed as abnormal data.
[0173] In one embodiment, when the processor 701 outputs an exception handling notification if the type of the first type of attack feature is a malicious attack feature that requires remote processing, the processor 701 performs the following steps:
[0174] The processing priority of the network data is determined based on the degree of attack on the long-distance wireless communication network according to the attack characteristics of the first type of attack.
[0175] The notification method is determined based on the processing priority of the network data.
[0176] Output the exception handling notification according to the notification method described above.
[0177] In one embodiment, if the type of the first type of attack feature is a suspicious attack feature, after storing the network data as abnormal data, the processor 701 is further configured to, if a new attack feature is detected, match the first type of attack feature with the new attack feature; if the first type of attack feature matches the new attack feature successfully, then use the attack blocking strategy corresponding to the new attack feature to block the network data.
[0178] In one embodiment, if the type of the first type of attack feature is a suspicious attack feature, after storing the network data as abnormal data, the processor 701 is further configured to:
[0179] The attack behavior analysis model is invoked to analyze the network data to determine whether the first type of attack characteristics are malicious attack characteristics that need to be blocked.
[0180] If the first type of attack characteristics are malicious attack characteristics that need to be blocked, then a mark to be blocked is added to the network data so that when the cloud device blocks the network data with the mark to be blocked, it blocks the network data from accessing the long-distance wireless communication network.
[0181] In this embodiment of the invention, when the processor 701 of the aforementioned computer device executes the second computer program in the computer storage medium, the computer device is equivalent to the aforementioned cloud device. After receiving network data from the long-distance wireless network sent by the data processing device, the cloud device performs anomaly processing on the network data according to the type of the first type of attack feature in the network data. This enables the cloud device and the data processing device to jointly block attack features from the network data, thereby improving the security of the long-distance wireless communication network.
[0182] According to one aspect of this application, embodiments of the present invention also provide a computer product or computer program, the computer product or computer program including a first computer program stored in a computer storage medium. A processor 701 reads the first computer program from the computer storage medium, causing the computer device to perform the following steps:
[0183] The system acquires network data from a long-distance wireless communication network and performs attack signature detection on the network data. If the network data exhibits a first type of attack signature, the network data is transmitted to a cloud device for abnormal data processing. The first type of attack signature refers to suspicious attack signatures or malicious attack signatures requiring remote processing. If the network data exhibits a second type of attack signature, the system blocks the network data from accessing the long-distance wireless communication network. The second type of attack signature refers to malicious attack signatures requiring local processing.
[0184] Alternatively, the aforementioned computer product or computer program may include a second computer program stored in a computer storage medium. The processor 701 reads the second computer program from the computer storage medium, causing the computer device to perform the following steps: receiving network data from a long-distance wireless communication network transmitted by a data processing device, the network data possessing a first type of attack characteristic, the first type of attack characteristic including suspicious attack characteristics or malicious attack characteristics requiring remote processing, the first type of attack characteristic being determined by the data processing device during attack characteristic detection of the network data; and performing abnormal data processing on the network data according to the type of the first type of attack characteristic.
[0185] In this embodiment of the invention, the data processing device acquires network data from a long-distance wireless communication network and performs attack feature detection on the network data. If the network data is detected to possess a first type of attack feature, it is sent to a cloud device so that the cloud device can perform abnormal data processing on the network data. The first type of attack feature includes suspicious attack features or malicious attack features that require remote processing. If the network data is detected to possess a second type of attack feature, access to the long-distance wireless communication network by the network data is blocked. The second type of attack feature refers to malicious attack features that require local processing. As can be seen from the above network data processing process, in this embodiment of the invention, the data processing device and the cloud device jointly protect or block network data with attack features in a long-distance wireless communication network, preventing the network data with attack features from causing malicious impact on the long-distance wireless communication network, thereby improving the security of the long-distance wireless communication network.
Claims
1. A data processing method, characterized in that the data processing method is executed by a data processing device, and the method includes: acquiring network data from a long-distance wireless communication network and performing attack feature detection on the network data; if the network data possesses a first type of attack characteristic, the network data is transmitted to a cloud device so that the cloud device can perform abnormal data processing on the network data. The first type of attack characteristic refers to a suspicious attack characteristic or a malicious attack characteristic requiring remote processing. The abnormal data processing of the network data by the cloud device includes: if the type of the first type of attack characteristic is a malicious attack characteristic requiring remote processing, the cloud device outputs an abnormal processing notification, which instructs maintenance personnel to block the network data from accessing the long-distance wireless communication network; wherein, the abnormal processing notification includes the malicious attack characteristic requiring remote processing and related information of the malicious attack characteristic requiring remote processing, including the impact of the malicious attack characteristic requiring remote processing on the long-distance wireless communication network; the maintenance personnel determine the blocking priority for the network data based on the impact of the malicious attack characteristic requiring remote processing on the long-distance wireless communication network; if the type of the first type of attack characteristic is a suspicious attack characteristic, the cloud device performs abnormal data storage and analysis on the network data.
If the network data exhibits the characteristics of the second type of attack, then the network data's access to the long-distance wireless communication network is blocked; the second type of attack characteristics refers to malicious attack characteristics that require local processing. Wherein, after storing abnormal network data, if the cloud device detects the release of new attack characteristics, it sends the new attack characteristics to the data processing device and instructs the data processing device to match the first type of attack characteristics with the new attack characteristics; after determining that the first type of attack characteristics matches the new attack characteristics, the data processing device determines whether the first type of attack characteristics can be blocked locally by the data processing device. If so, it blocks the network data; if not, it instructs the cloud device to notify maintenance personnel to block the network data. Specifically, after storing abnormal network data, the cloud device calls an attack behavior analysis model to analyze the network data to determine whether the first type of attack feature is a malicious attack feature that needs to be blocked. If the first type of attack feature is determined to be a malicious attack feature that needs to be blocked, the cloud device adds a mark to the network data to be blocked. When blocking the network data with the mark to be blocked, the cloud device informs the data processing device of the analysis results of the network data. The data processing device then determines whether the first type of attack feature can be blocked by the data processing device. If it is, the network data is blocked. If not, the cloud device is instructed to notify maintenance personnel to block the data.
2. The method of claim 1, wherein the long-range wireless communication network is a LoRaWAN network designed based on the long-range radio technology LoRa. The long-range wireless communication network includes LoRaWAN node devices, core network servers, and gateway devices. The network environment of the long-range wireless communication network includes wireless sensor networks or Ethernet networks. If the network environment of the long-distance wireless communication network is the Ethernet network, then the network data is Ethernet data sent to the target ports of the gateway device and the core network server; if the network environment of the long-distance wireless communication network is the wireless sensor network, then the network data is radio data related to long-distance radio technology in the long-distance wireless communication network.
3. The method of claim 2, wherein the method further includes: if the network environment of the long-distance wireless communication network is the Ethernet network, then the malicious attack features that need to be processed locally include any one or more of the following: unauthorized malicious access based on known communication protocols, malicious login to the core network server or the gateway device, malicious database access, and access to the target ports of the gateway device and the core network server of a preset type; if the network environment of the long-distance wireless communication network is an Ethernet network, the malicious attack features that need to be remotely processed include any one or more of the following: malicious network access of the LoRaWAN node device in the long-distance wireless communication network, malicious attack on the LoRaWAN node device using a target vulnerability, and long-distance wireless communication network counting sequence replay attack.
4. The method of claim 1, wherein, if the network data possesses characteristics of a second type of attack, blocking the network data's access to the long-distance wireless communication network includes: if the network data has the characteristics of a second type of attack, determining the number of times the network data appears within a preset time period; and blocking the network data based on the number of times it appears.
5. The method of claim 4, wherein the process of blocking network data based on the number of times it appears includes: if the number of times the network data appears within the preset time period is less than or equal to the number of occurrences threshold, then the network data's access to the long-distance wireless communication network is blocked; if the number of times the network data appears within the preset time period is greater than the number threshold, and each occurrence of the network data is generated by the target device, then the target device's access to the long-distance wireless communication network is blocked; if the number of times the network data appears within the preset time period is greater than the number threshold, and the network data appears in each instance by different devices, then the data protocol corresponding to the network data is determined, and the data protocol is repaired.
6. A data processing method, characterized in that the data processing method is executed by a cloud device, and the method includes: receiving network data from a long-distance wireless communication network sent by a data processing device. The network data has a first type of attack characteristics, which includes suspicious attack characteristics or malicious attack characteristics that require remote processing. The first type of attack characteristics are determined by the data processing device when it performs attack characteristic detection on the network data. If the first type of attack feature is a malicious attack feature requiring remote processing, an anomaly handling notification is output. This notification instructs maintenance personnel to block network data access to the long-distance wireless communication network. The notification includes the malicious attack feature requiring remote processing and related information, including the impact of the malicious attack feature on the long-distance wireless communication network. Maintenance personnel determine the blocking priority for the network data based on the impact of the malicious attack feature on the long-distance wireless communication network. If the type of the first type of attack feature is a suspicious attack feature, then the network data is stored and analyzed as abnormal data. Specifically, after storing abnormal network data, if a new attack signature is detected, the new attack signature is sent to the data processing device, and the data processing device is instructed to match the first type of attack signature with the new attack signature. After determining that the first type of attack signature matches the new attack signature, the data processing device determines whether the first type of attack signature can be blocked locally by the data processing device.
If it is, the network data is blocked; if not, the cloud device is instructed to notify maintenance personnel to block the network data. Specifically, after storing the network data as abnormal data, an attack behavior analysis model is invoked to analyze the network data to determine whether the first type of attack feature is a malicious attack feature that needs to be blocked. If the first type of attack feature is determined to be a malicious attack feature that needs to be blocked, a mark to be blocked is added to the network data. When blocking the network data marked as needing to be blocked, the analysis results of the network data are communicated to the data processing device so that the data processing device can determine whether the first type of attack feature is one that the data processing device can block. If so, the network data is blocked; if not, the cloud device is instructed to notify maintenance personnel to perform blocking.
7. The method of claim 6, wherein, if the type of the first type of attack feature is a malicious attack feature that requires remote processing, outputting the anomaly handling notification includes:
The processing priority of the network data is determined based on the degree of attack on the long-distance wireless communication network according to the attack characteristics of the first type of attack.
The notification method is determined based on the processing priority of the network data.
The anomaly handling notification is output according to the notification method.
8. A data processing device, characterized in that it includes:
A data acquisition module, used to acquire network data in long-distance wireless communication networks;
An attack signature detection module, used to detect attack signatures in the network data. The attack feature detection module is further configured to transmit the network data to a cloud device if the network data has a first type of attack feature, so that the cloud device can perform abnormal data processing on the network data. The first type of attack feature refers to suspicious attack features or malicious attack features requiring remote processing. The cloud device performs abnormal data processing on the network data as follows: if the first type of attack feature is a malicious attack feature requiring remote processing, the cloud device outputs an abnormal processing notification, which instructs maintenance personnel to block the network data from accessing the long-distance wireless communication network. The abnormal processing notification includes the malicious attack feature requiring remote processing and related information about it, including the impact of the malicious attack feature requiring remote processing on the long-distance wireless communication network. The maintenance personnel determine the blocking priority for the network data based on the impact of the malicious attack feature requiring remote processing on the long-distance wireless communication network. If the first type of attack feature is a suspicious attack feature, the cloud device performs abnormal data storage and analysis on the network data.
An intrusion blocking module, used to block the network data from accessing the long-distance wireless communication network if the network data has the characteristics of a second type of attack; the second type of attack characteristics refers to malicious attack characteristics that need to be processed locally.
Wherein, after storing abnormal network data, if the cloud device detects the release of new attack characteristics, it sends the new attack characteristics to the data processing device and instructs the data processing device to match the first type of attack characteristics with the new attack characteristics; after determining that the first type of attack characteristics matches the new attack characteristics, the data processing device determines whether the first type of attack characteristics can be blocked locally by the data processing device. If so, it blocks the network data; if not, it instructs the cloud device to notify maintenance personnel to block the network data.
Specifically, after storing abnormal network data, the cloud device calls an attack behavior analysis model to analyze the network data to determine whether the first type of attack feature is a malicious attack feature that needs to be blocked. If the first type of attack feature is determined to be a malicious attack feature that needs to be blocked, the cloud device adds a to-be-blocked mark to the network data. When blocking the network data that carries the to-be-blocked mark, the cloud device informs the data processing device of the analysis results of the network data. The data processing device then determines whether the first type of attack feature can be blocked by the data processing device. If it can, the network data is blocked. If not, the cloud device is instructed to notify maintenance personnel to block the data.
9. A cloud device, comprising:
A receiving module, used to receive network data from a long-distance wireless communication network sent by a data processing device. The network data has a first type of attack characteristics, which includes suspicious attack characteristics or malicious attack characteristics that require remote processing. The first type of attack characteristics are determined by the data processing device when it performs attack characteristic detection on the network data.
A processing module, used to perform abnormal data processing on the network data according to the type of the first type of attack characteristics;
The processing module includes a security response module and a data analysis module. When the processing module performs abnormal data processing on the network data according to the type of the first type of attack characteristics:
The security response module is configured to output an anomaly handling notification if the type of the first type of attack feature is a malicious attack feature requiring remote processing. The anomaly handling notification instructs maintenance personnel to block network data access to the long-distance wireless communication network. The anomaly handling notification includes the malicious attack feature requiring remote processing and related information about it, including the impact of the malicious attack feature requiring remote processing on the long-distance wireless communication network. Maintenance personnel determine the blocking priority for the network data based on the impact of the malicious attack feature requiring remote processing on the long-distance wireless communication network.
The data analysis module is used to perform abnormal data storage and analysis on the network data if the type of the first type of attack feature is a suspicious attack feature.
The processing module is further configured to, after storing abnormal network data, if a new attack signature is detected, send the new attack signature to the data processing device and instruct the data processing device to match the first type of attack signature with the new attack signature. After determining that the first type of attack signature matches the new attack signature, the data processing device determines whether the first type of attack signature is one that the data processing device can block locally. If so, the network data is blocked; if not, the cloud device is instructed to notify maintenance personnel to block the network data.
The processing module is further configured to, after storing the network data as abnormal data, call the attack behavior analysis model to analyze the network data to determine whether the first type of attack feature is a malicious attack feature that needs to be blocked. If the first type of attack feature is determined to be a malicious attack feature that needs to be blocked, a to-be-blocked mark is added to the network data. When blocking the network data that carries the to-be-blocked mark, the analysis results of the network data are communicated to the data processing device so that the data processing device can determine whether the first type of attack feature can be blocked by the data processing device. If so, the network data is blocked; if not, the cloud device is instructed to notify maintenance personnel to perform blocking.
10. A computer device, comprising: a processor, adapted to implement one or more instructions; and a computer storage medium storing one or more first computer programs adapted for loading by a processor and executing the data processing method as described in any one of claims 1-5; or, the computer storage medium storing one or more second computer programs adapted for loading by a processor and executing the data processing method as described in any one of claims 6-7.
11. A computer storage medium, characterized in that the computer storage medium stores a first computer program, which, when executed by a processor, performs the data processing method as described in any one of claims 1-5; the computer storage medium also stores a second computer program, which, when executed by a processor, performs the data processing method as described in any one of claims 6-7.
12. A computer product, comprising: a first computer program stored in a computer storage medium, wherein a processor reads the first computer program from the computer storage medium, causing the computer device to execute the data processing method as described in any one of claims 1-5; the computer product further includes a second computer program stored in the computer storage medium, wherein a processor reads the second computer program from the computer storage medium, causing the computer device to execute the data processing method as described in any one of claims 6-7.
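The cloud-side handling in claims 6 and 7 and the device's local-blocking decision from claim 8 can be followed in a short model. This is an added illustration, not code from the patent: every class and method name, the 0-10 impact score, the priority thresholds, the notification channels and the exact-label signature matching are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class FeatureType(Enum):
    SUSPICIOUS = 1
    MALICIOUS_REMOTE = 2           # malicious, requires remote processing

@dataclass
class Record:                      # network data forwarded by the local device
    source: str                    # constructed sender identifier
    feature: str                   # label of the first-type attack feature
    ftype: FeatureType
    impact: int = 0                # assumed 0-10 score of impact on the network

class DataProcessingDevice:
    def __init__(self, locally_blockable):
        self.locally_blockable, self.blocked = set(locally_blockable), []
    def on_new_signature(self, signature, rec):
        # Match first, then decide: block locally or hand back to the cloud.
        if rec.feature != signature:
            return "no match"
        if rec.feature in self.locally_blockable:
            self.blocked.append(rec.source)
            return "blocked locally"
        return "notify maintenance"

class CloudDevice:
    def __init__(self, device):
        self.device, self.stored, self.notifications = device, [], []
    def notify(self, rec):
        # Claim 7: impact -> processing priority -> notification method.
        # Thresholds and channel names are assumed for the example.
        priority = "high" if rec.impact >= 7 else "medium" if rec.impact >= 4 else "low"
        method = {"high": "phone", "medium": "sms", "low": "email"}[priority]
        self.notifications.append({"feature": rec.feature, "impact": rec.impact,
                                   "priority": priority, "method": method})
        return self.notifications[-1]
    def receive(self, rec):
        if rec.ftype is FeatureType.MALICIOUS_REMOTE:
            return self.notify(rec)
        self.stored.append(rec)    # suspicious: keep as abnormal data for analysis
    def new_signature(self, signature):
        # A newly released signature is pushed to the device for each stored record.
        results = {}
        for rec in list(self.stored):
            verdict = results[rec.source] = self.device.on_new_signature(signature, rec)
            if verdict == "notify maintenance":
                self.notify(rec)
            if verdict != "no match":
                self.stored.remove(rec)
        return results
```

A stored suspicious record stays in the cloud store until some later signature matches it, which is why `new_signature` removes only matched records.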